GDPR roles
The customer remains controller for end-user and store data. CashFlowCanary acts as processor when the service processes data to monitor, alert, produce proof or provide the client cockpit.
Contractual DPA
The full DPA can be requested from support before contracting or deploying across a client portfolio. It covers purposes, data categories, security measures, further processing, GDPR assistance, reversibility and deletion.
Subprocessing principles
- Limit each subprocessor to a purpose required by the service.
- Never sell data or use it to profile end customers.
- Keep secrets, tokens and webhooks server-side.
- Filter proof to avoid card data, cookies, customer carts and full payloads.
Transfers and location
Hosting, email and payment choices must remain compatible with the customer's contractual commitments. Any location or transfer constraint should be set out before activation.
Notification and changes
Any durable change to a critical subprocessor must remain documented and communicable to affected customers. Specific requests go through support.